CVE-2024-52307

Nov. 27, 2024, 4:15 p.m.

None
No Score

Description

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik.

Product(s) Impacted

Product Versions
authentik
  • ['2024.1.0', 'before 2024.8.5']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-208
Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8
https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j
http://www.openwall.com/lists/oss-security/2024/11/27/1

Tags

security-advisories@github.com
CWE-208
2024-11-21
CVE-2024-52307

Timeline

Published: Nov. 21, 2024, 6:15 p.m.
Last Modified: Nov. 27, 2024, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.